Bug 1217051 - Enable ptrace_scope=1 by default on openSUSE Tumbleweed
Status: RESOLVED FIXED
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Version: Current
Hardware: 64bit openSUSE Tumbleweed
Importance: P5 - None : Normal
Target Milestone: ---
Assignee: Johannes Segitz
QA Contact: E-mail List
Reported: 2023-11-13 01:06 UTC by Archer Allstars
Modified: 2024-05-03 09:38 UTC

Description Archer Allstars 2023-11-13 01:06:43 UTC
Currently, on openSUSE Tumbleweed, ptrace_scope is disabled by default (ptrace_scope=0). This makes the Chromium sandboxing status show as "no", colored red, for both Ptrace Protection with Yama LSM entries.

Enabling ptrace_scope=1 fixed the issue, and I think it's a security hardening for the system.

There's a request to enable this feature on SUSE 15 SP4: https://bugzilla.suse.com/show_bug.cgi?id=1198601

I am requesting this on openSUSE Tumbleweed.

For reference, ptrace_scope has been enabled on Ubuntu since 10.10.
Comment 1 Johannes Segitz 2023-11-16 08:09:03 UTC
Yes, we should have this set to 1. That shouldn't break most use cases and improves security. I'll push for that.
Comment 3 Johannes Segitz 2023-11-16 09:24:44 UTC
I opened a PR for this: https://github.com/openSUSE/aaa_base/pull/138
Comment 4 Archer Allstars 2023-11-19 18:03:14 UTC
ptrace_scope=1 has been merged upstream, see https://github.com/openSUSE/aaa_base/pull/138
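
A way to verify the setting this report asks for, as an added example that is not part of the bug thread or of aaa_base: it reads the value the running kernel enforces and lists every sysctl configuration line that sets kernel.yama.ptrace_scope. The function names and the optional root-prefix argument (used to point the checks at a constructed test tree) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the Yama ptrace_scope setting discussed in this bug.
# The optional first argument is a root prefix (an assumption of this
# example) so the checks can run against a constructed test tree.

# Meaning of each value, per the kernel's Yama LSM documentation.
describe_ptrace_scope() {
    case "$1" in
        0) echo "classic: any same-uid process may attach" ;;
        1) echo "restricted: only ancestors or PR_SET_PTRACER-declared tracers" ;;
        2) echo "admin-only: tracer needs CAP_SYS_PTRACE" ;;
        3) echo "no attach: ptrace attach disabled, cannot be changed back" ;;
        *) echo "unknown value"; return 1 ;;
    esac
}

# Value enforced by the running kernel; fails if Yama is not available.
running_ptrace_scope() {
    f="${1:-}/proc/sys/kernel/yama/ptrace_scope"
    [ -r "$f" ] || { echo "yama-unavailable"; return 1; }
    cat "$f"
}

# Every persistent setting of the key, printed as "file:value".
configured_ptrace_scope() {
    for f in "${1:-}"/usr/lib/sysctl.d/*.conf "${1:-}"/run/sysctl.d/*.conf \
             "${1:-}"/etc/sysctl.d/*.conf "${1:-}"/etc/sysctl.conf; do
        [ -f "$f" ] || continue
        sed -n 's/^[[:space:]]*-\{0,1\}kernel\.yama\.ptrace_scope[[:space:]]*=[[:space:]]*\([0-9]\{1,\}\).*/\1/p' "$f" |
            while read -r v; do echo "$f:$v"; done
    done
    return 0
}

# Exit status 0 if the running value is 1 or higher, 1 if it is 0,
# 2 if the value could not be read.
ptrace_hardened() {
    cur=$(running_ptrace_scope "${1:-}") || return 2
    [ "$cur" -ge 1 ]
}

# Report for the live system.
if live=$(running_ptrace_scope); then
    echo "running: $live ($(describe_ptrace_scope "$live"))"
else
    echo "running: Yama ptrace_scope not exposed by this kernel"
fi
configured_ptrace_scope
```

A running value of 0 alongside a configuration line that sets 1 means the file has not been applied yet, for example because the system has not been rebooted since the update.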